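def reset_password(data=None):
    """Handle both halves of the password-reset flow.

    With ``data`` (the signed token from the reset e-mail) the view shows the
    "set a new password" form on GET and, on POST, stores the submitted
    password for the user named in the token.  Without ``data`` it shows the
    "request a reset" form and, on POST, sends the reset e-mail.

    Returns a rendered template, or a redirect to the login page after a
    successful reset.
    """
    if data is not None:
        try:
            # unserialize() enforces the 1800 s lifetime of the token.
            name = unserialize(data, max_age=1800)
        except (BadTimeSignature, SignatureExpired):
            return render_template("reset_password.html", errors=["Your link has expired"])
        except (BadSignature, TypeError, base64.binascii.Error):
            return render_template("reset_password.html", errors=["Your reset token is invalid"])

        if request.method == "GET":
            return render_template("reset_password.html", mode="set")

        if request.method == "POST":
            password = request.form["password"].strip()
            # Do not store an empty password; the original accepted whatever
            # was left after strip(), including "".
            if not password:
                return render_template(
                    "reset_password.html", mode="set", errors=["Pick a longer password"]
                )
            user = Users.query.filter_by(name=name).first_or_404()
            # NOTE(review): nothing here invalidates the token once used; it
            # stays accepted until max_age elapses unless unserialize() does
            # so — confirm.
            user.password = password
            db.session.commit()
            log(
                "logins",
                format="[{date}] {ip} - successful password reset for {name}",
                name=name,
            )
            db.session.close()
            return redirect(url_for("auth.login"))

    if request.method == "POST":
        email_address = request.form["email"].strip()
        team = Users.query.filter_by(email=email_address).first()
        # Called for its side effects only; the original discards the result.
        get_errors()
        if config.can_send_mail() is False:
            return render_template(
                "reset_password.html",
                errors=["Email could not be sent due to server misconfiguration"],
            )
        # Unknown and known addresses get the same message so the form cannot
        # be used to enumerate accounts.
        if not team:
            return render_template(
                "reset_password.html",
                errors=["If that account exists you will receive an email, please check your inbox"],
            )
        email.forgot_password(email_address, team.name)
        return render_template(
            "reset_password.html",
            errors=["If that account exists you will receive an email, please check your inbox"],
        )

    return render_template("reset_password.html")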
def new():
    """Create a team for the current user (GET shows the form, POST submits it)."""
    if request.method == 'GET':
        return render_template("teams/new_team.html")
    elif request.method == 'POST':
        teamname = request.form.get('name')
        passphrase = request.form.get('password', '').strip()
        errors = get_errors()
        user = get_current_user()

        # The name must be unused and non-empty.
        if Teams.query.filter_by(name=teamname).first():
            errors.append("Ce nom d'équipe est déjà pris.")
        if not teamname:
            errors.append("Ce nom d'équipe est invalide.")
        if errors:
            return render_template("teams/new_team.html", errors=errors)

        team = Teams(name=teamname, password=passphrase)
        db.session.add(team)
        db.session.commit()
        # Attach the creator to the new team in a second commit, once it has an id.
        user.team_id = team.id
        db.session.commit()
        return redirect(url_for('challenges.listing'))
def public(team_id):
    """Public team page: solves, awards and the team's place in the standings."""
    standings = get_standings()
    errors = get_errors()
    team = Teams.query.filter_by(id=team_id, banned=False, hidden=False).first_or_404()
    solves = team.get_solves()
    awards = team.get_awards()

    # Find the team in the standings; the first match determines place and score.
    score, place = 0, None
    for position, entry in enumerate(standings, start=1):
        if entry['teamid'] == team_id:
            place, score = position, entry['score']
            break

    if errors:
        return render_template("teams/public.html", team=team, errors=errors)
    context = dict(
        solves=solves,
        awards=awards,
        team=team,
        score=score,
        place=place,
        score_frozen=is_scoreboard_frozen(),
    )
    return render_template("teams/public.html", **context)
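def users_listing():
    """Admin user list.

    With ``q`` and ``field`` in the query string the view runs a search on
    one column (``id`` exact, others substring, ``ip`` via the Tracking
    table).  Otherwise it returns one page of 50 users ordered by id.
    """
    page = abs(request.args.get("page", 1, type=int))
    q = request.args.get("q")
    if q:
        field = request.args.get("field")
        users = []
        errors = get_errors()
        if field == "id":
            if q.isnumeric():
                users = Users.query.filter(Users.id == q).order_by(Users.id.asc()).all()
            else:
                errors.append("Your ID search term is not numeric")
        else:
            # The value is bound as a query parameter (no SQL injection), but
            # LIKE metacharacters ``%`` and ``_`` in q act as wildcards; that
            # is accepted here because the search is admin-only.
            pattern = "%{}%".format(q)
            columns = {
                "name": Users.name,
                "email": Users.email,
                "affiliation": Users.affiliation,
            }
            if field in columns:
                users = (
                    Users.query.filter(columns[field].like(pattern))
                    .order_by(Users.id.asc())
                    .all()
                )
            elif field == "ip":
                users = (
                    Users.query.join(Tracking, Users.id == Tracking.user_id)
                    .filter(Tracking.ip.like(pattern))
                    .order_by(Users.id.asc())
                    .all()
                )
        return render_template(
            "admin/users/users.html",
            users=users,
            pages=0,
            curr_page=None,
            q=q,
            field=field,
        )

    # page=0 used to produce a negative slice offset; clamp to the first page.
    page = max(page, 1)
    results_per_page = 50
    page_start = results_per_page * (page - 1)
    page_end = page_start + results_per_page
    users = Users.query.order_by(Users.id.asc()).slice(page_start, page_end).all()
    count = db.session.query(db.func.count(Users.id)).first()[0]
    # Ceiling division: a partial last page still counts.
    pages = -(-count // results_per_page)
    return render_template(
        "admin/users/users.html", users=users, pages=pages, curr_page=page
    )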
def login():
    """Log a user in by name and password; GET just renders the form."""
    errors = get_errors()
    if request.method != "POST":
        db.session.close()
        return render_template("login.html", errors=errors)

    name = request.form["name"]
    user = Users.query.filter_by(name=name).first()

    # Unknown account and wrong password produce the same message on
    # purpose, so the response does not reveal which names exist.
    if not user:
        log("logins", "[{date}] {ip} - submitted invalid account information")
        errors.append("Your username or password is incorrect")
        db.session.close()
        return render_template("login.html", errors=errors)

    if not verify_password(request.form["password"], user.password):
        # NOTE(review): the {name} placeholder relies on log() supplying it;
        # no name kwarg is passed here — confirm.
        log("logins", "[{date}] {ip} - submitted invalid password for {name}")
        errors.append("Your username or password is incorrect")
        db.session.close()
        return render_template("login.html", errors=errors)

    # Fresh session id on privilege change, then the redirect target is
    # only honoured when it points back into this site.
    session.regenerate()
    login_user(user)
    log("logins", "[{date}] {ip} - {name} logged in")
    db.session.close()
    target = request.args.get("next")
    if target and validators.is_safe_url(target):
        return redirect(target)
    return redirect(url_for("challenges.listing"))
def new():
    """Create a team captained by the current user (GET form, POST submit)."""
    if request.method == "GET":
        return render_template("teams/new_team.html")
    elif request.method == "POST":
        teamname = request.form.get("name")
        passphrase = request.form.get("password", "").strip()
        errors = get_errors()
        user = get_current_user()

        if Teams.query.filter_by(name=teamname).first():
            errors.append("That team name is already taken")
        if not teamname:
            errors.append("That team name is invalid")
        if errors:
            return render_template("teams/new_team.html", errors=errors)

        team = Teams(name=teamname, password=passphrase, captain_id=user.id)
        db.session.add(team)
        db.session.commit()
        # Second commit: the team id only exists after the first one.
        user.team_id = team.id
        db.session.commit()
        return redirect(url_for("challenges.listing"))
def public(team_id):
    """Public page of a visible, non-banned team."""
    infos = get_infos()
    errors = get_errors()
    team = Teams.query.filter_by(id=team_id, banned=False, hidden=False).first_or_404()
    solves = team.get_solves()
    awards = team.get_awards()
    place, score = team.place, team.score

    if errors:
        return render_template("teams/public.html", team=team, errors=errors)

    frozen = config.is_scoreboard_frozen()
    if frozen:
        infos.append("Scoreboard has been frozen")
    context = {
        "solves": solves,
        "awards": awards,
        "team": team,
        "score": score,
        "place": place,
        "score_frozen": frozen,
        "infos": infos,
        "errors": errors,
    }
    return render_template("teams/public.html", **context)
def private():
    """The current user's own team page, or the enrollment page if they have none."""
    infos = get_infos()
    errors = get_errors()
    user = get_current_user()
    if not user.team_id:
        return render_template("teams/team_enrollment.html")

    team = Teams.query.filter_by(id=user.team_id).first_or_404()
    solves = team.get_solves()
    awards = team.get_awards()
    place, score = team.place, team.score

    frozen = config.is_scoreboard_frozen()
    if frozen:
        infos.append("Scoreboard has been frozen")
    context = {
        "solves": solves,
        "awards": awards,
        "user": user,
        "team": team,
        "score": score,
        "place": place,
        "score_frozen": frozen,
        "infos": infos,
        "errors": errors,
    }
    return render_template("teams/private.html", **context)
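def users_listing():
    """Admin user list.

    With ``q`` and ``field`` in the query string the view searches one column
    (``id`` exact, ``name``/``email``/``affiliation`` substring).  Otherwise it
    returns one page of 50 users ordered by id.
    """
    page = abs(request.args.get('page', 1, type=int))
    q = request.args.get('q')
    if q:
        field = request.args.get('field')
        users = []
        errors = get_errors()
        if field == 'id':
            if q.isnumeric():
                users = Users.query.filter(Users.id == q).order_by(Users.id.asc()).all()
            else:
                errors.append('Your ID search term is not numeric')
        else:
            # q is bound as a query parameter (no SQL injection); LIKE
            # metacharacters in it act as wildcards, acceptable for an
            # admin-only search.
            columns = {
                'name': Users.name,
                'email': Users.email,
                'affiliation': Users.affiliation,
            }
            if field in columns:
                users = (
                    Users.query.filter(columns[field].like('%{}%'.format(q)))
                    .order_by(Users.id.asc())
                    .all()
                )
        return render_template('admin/users/users.html', users=users, pages=None, curr_page=None, q=q, field=field)

    # page=0 used to yield a negative slice offset; clamp to the first page.
    page = max(page, 1)
    results_per_page = 50
    page_start = results_per_page * (page - 1)
    page_end = page_start + results_per_page
    users = Users.query.order_by(Users.id.asc()).slice(page_start, page_end).all()
    count = db.session.query(db.func.count(Users.id)).first()[0]
    # Ceiling division: a partial last page still counts.
    pages = -(-count // results_per_page)
    return render_template('admin/users/users.html', users=users, pages=pages, curr_page=page)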
def join():
    """Join an existing team by name and passphrase.

    GET renders the form (with the team-size limit, if any).  POST refuses
    users who already have a team, verifies the passphrase, enforces the
    size limit and then moves the user onto the team.
    """
    infos = get_infos()
    errors = get_errors()
    user = get_current_user_attrs()
    if user.team_id:
        errors.append("You are already in a team. You cannot join another.")

    if request.method == "GET":
        limit = get_config("team_size", default=0)
        if limit:
            suffix = "" if limit == 1 else "s"
            infos.append("Teams are limited to {limit} member{plural}".format(
                limit=limit, plural=suffix))
        return render_template("teams/join_team.html", infos=infos, errors=errors)

    if request.method == "POST":
        teamname = request.form.get("name")
        passphrase = request.form.get("password", "").strip()
        team = Teams.query.filter_by(name=teamname).first()

        # A user who already has a team is refused before the passphrase is checked.
        if errors:
            return (
                render_template("teams/join_team.html", infos=infos, errors=errors),
                403,
            )
        # Same message for "no such team" and "wrong passphrase".
        if not (team and verify_password(passphrase, team.password)):
            errors.append("That information is incorrect")
            return render_template("teams/join_team.html", infos=infos, errors=errors)

        limit = get_config("team_size", default=0)
        if limit and len(team.members) >= limit:
            errors.append(
                "{name} has already reached the team size limit of {limit}"
                .format(name=team.name, limit=limit))
            return render_template("teams/join_team.html", infos=infos, errors=errors)

        user = get_current_user()
        user.team_id = team.id
        db.session.commit()
        # The first member to join becomes captain.
        if len(team.members) == 1:
            team.captain_id = user.id
            db.session.commit()
        clear_user_session(user_id=user.id)
        clear_team_session(team_id=team.id)
        return redirect(url_for("challenges.listing"))
def new():
    """Create a team captained by the current user.

    GET renders the form (mentioning the team-size limit, if any); POST
    validates the name, stores the team and resets cached session data.
    """
    infos = get_infos()
    errors = get_errors()

    if request.method == "GET":
        limit = get_config("team_size", default=0)
        if limit:
            suffix = "" if limit == 1 else "s"
            infos.append(
                "Teams are limited to {limit} member{plural}".format(
                    limit=limit, plural=suffix
                )
            )
        return render_template("teams/new_team.html", infos=infos, errors=errors)

    elif request.method == "POST":
        teamname = request.form.get("name", "").strip()
        passphrase = request.form.get("password", "").strip()
        errors = get_errors()
        user = get_current_user()

        if Teams.query.filter_by(name=teamname).first():
            errors.append("That team name is already taken")
        if not teamname:
            errors.append("That team name is invalid")
        if errors:
            return render_template("teams/new_team.html", errors=errors)

        team = Teams(name=teamname, password=passphrase, captain_id=user.id)
        db.session.add(team)
        db.session.commit()
        # Second commit: the team id is only known after the first.
        user.team_id = team.id
        db.session.commit()
        # Drop cached user/team session data so the new membership is visible.
        clear_user_session(user_id=user.id)
        clear_team_session(team_id=team.id)
        return redirect(url_for("challenges.listing"))
def login():
    """Log in with a user name or e-mail address plus password."""
    errors = get_errors()
    if request.method != "POST":
        db.session.close()
        return render_template("login.html", errors=errors)

    name = request.form["name"]
    # The single form field accepts either an e-mail address or a user name.
    if validators.validate_email(name) is True:
        user = Users.query.filter_by(email=name).first()
    else:
        user = Users.query.filter_by(name=name).first()

    # Unknown account and wrong password share one message on purpose.
    if not user:
        log("logins", "[{date}] {ip} - submitted invalid account information")
        errors.append("用户名或密码错误")
        db.session.close()
        return render_template("login.html", errors=errors)

    if user.password is None:
        # Accounts created through an external provider have no local password.
        errors.append(
            "Your account was registered with a 3rd party authentication provider. "
            "Please try logging in with a configured authentication provider."
        )
        return render_template("login.html", errors=errors)

    if not verify_password(request.form["password"], user.password):
        log(
            "logins",
            "[{date}] {ip} - submitted invalid password for {name}",
            name=user.name,
        )
        errors.append("用户名或密码错误")
        db.session.close()
        return render_template("login.html", errors=errors)

    # New session id on login; the redirect target must point back into this site.
    session.regenerate()
    login_user(user)
    log("logins", "[{date}] {ip} - {name} logged in", name=user.name)
    db.session.close()
    target = request.args.get("next")
    if target and validators.is_safe_url(target):
        return redirect(target)
    return redirect(url_for("challenges.listing"))
def public(user_id):
    """Public profile page of a visible, non-banned user."""
    infos = get_infos()
    errors = get_errors()
    user = Users.query.filter_by(id=user_id, banned=False, hidden=False).first_or_404()
    if config.is_scoreboard_frozen():
        infos.append("Scoreboard has been frozen")
    context = dict(user=user, account=user.account, infos=infos, errors=errors)
    return render_template("users/public.html", **context)
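def new():
    """Create a team and provision a matching Unix account in the
    ``server-skr`` container.

    GET renders the form.  POST validates the team name and passphrase,
    stores the team, attaches the current user, runs the provisioning
    commands and redirects to the challenge listing.  Validation errors
    re-render the form.
    """
    if request.method == 'GET':
        return render_template("teams/new_team.html")
    elif request.method == 'POST':
        import re
        import subprocess

        teamname = request.form.get('name')
        passphrase = request.form.get('password', '').strip()
        # Default to "" so a missing field does not raise on .strip().
        confirm_passphrase = request.form.get('confirm-password', '').strip()
        errors = get_errors()
        user = get_current_user()
        existing_team = Teams.query.filter_by(name=teamname).first()
        pass_match = passphrase == confirm_passphrase

        if existing_team:
            errors.append('That team name is already taken')
        if not teamname:
            errors.append('That team name is invalid')
        else:
            for s in '!"#$%&\'()*+,./:;<=>?@[\\]^`{|}~ ':
                if s in teamname:
                    errors.append(
                        'Your User name should not contain space and symbol %score' % s)
                    break
            # The name becomes a Unix account name and a path component.  The
            # blocklist above misses '-', control characters and non-ASCII, so
            # require an explicit allowlist as well.
            if not re.fullmatch(r'[A-Za-z0-9_]+', teamname):
                errors.append('Your team name may only contain letters, digits and underscores')
        # The passphrase is handed to chpasswd one entry per line.
        if '\n' in passphrase or '\r' in passphrase:
            errors.append('Password must not contain line breaks')
        if not pass_match:
            errors.append('Password does not match')
        if errors:
            return render_template("teams/new_team.html", errors=errors)

        team = Teams(name=teamname, password=passphrase)
        db.session.add(team)
        db.session.commit()
        user.team_id = team.id
        db.session.commit()

        def in_container(*args, **kwargs):
            # Arguments go to docker as a list (no shell), so neither the
            # name nor the passphrase can change the command.  Like the
            # os.system() calls this replaces, a failing command is not
            # raised; its status is returned in the CompletedProcess.
            return subprocess.run(["docker", "exec", *args], **kwargs)

        home = '/home/%s' % teamname
        in_container("server-skr", "useradd", "-m", teamname, "-s", "/bin/bash")
        # chpasswd reads "user:password" lines on stdin; -i keeps stdin open.
        in_container("-i", "server-skr", "chpasswd",
                     input=('%s:%s\n' % (teamname, passphrase)).encode())
        in_container("server-skr", "cp", "-rp", "/chal_template/.", home + "/")
        in_container("server-skr", "chown", teamname + ":", home)
        in_container("server-skr", "chmod", "-w", home)
        # Account databases are mirrored to /ctfuser, as before.
        for account_file in ("/etc/passwd", "/etc/shadow", "/etc/group"):
            in_container("server-skr", "cp", account_file, "/ctfuser")

        from fyp import generateBinaryFlag
        generateBinaryFlag(team)
        return redirect(url_for('challenges.listing'))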
def import_ctf():
    """Admin endpoint: import the uploaded ``backup`` file into this CTF."""
    backup = request.files['backup']
    errors = get_errors()
    try:
        import_ctf_util(backup)
    except Exception as exc:
        # Best-effort reporting: echo to stdout and return the repr to the
        # (admin) caller below.
        print(exc)
        errors.append(repr(exc))
    if not errors:
        return redirect(url_for('admin.config'))
    return errors[0], 500
def reset_password(data=None):
    """Password-reset flow.

    With ``data`` (a signed token): GET shows the "set password" form, POST
    stores the bcrypt-hashed password for the user named in the token.
    Without ``data``: GET shows the request form, POST sends the reset mail.
    """
    if data is not None:
        try:
            # 1800 s token lifetime, enforced by unserialize().
            name = unserialize(data, max_age=1800)
        except (BadTimeSignature, SignatureExpired):
            return render_template('reset_password.html', errors=['Your link has expired'])
        except (BadSignature, TypeError, base64.binascii.Error):
            return render_template('reset_password.html', errors=['Your reset token is invalid'])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')
        if request.method == "POST":
            account = Users.query.filter_by(name=name).first_or_404()
            new_password = request.form['password'].strip()
            account.password = bcrypt_sha256.encrypt(new_password)
            db.session.commit()
            # NOTE(review): {name} is not passed as a kwarg; this relies on
            # log() filling it in — confirm.
            log('logins', format="[{date}] {ip} - successful password reset for {name}")
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email_address = request.form['email'].strip()
        account = Users.query.filter_by(email=email_address).first()
        errors = get_errors()
        if config.can_send_mail() is False:
            return render_template(
                'reset_password.html',
                errors=['Email could not be sent due to server misconfiguration'])
        # Same message whether or not the address is known, so the form does
        # not reveal which accounts exist.
        generic = 'If that account exists you will receive an email, please check your inbox'
        if not account:
            return render_template('reset_password.html', errors=[generic])
        email.forgot_password(email_address, account.name)
        return render_template('reset_password.html', errors=[generic])

    return render_template('reset_password.html')
def listing():
    """Challenge listing page with CTF-state banners (Russian strings)."""
    infos = get_infos()
    errors = get_errors()
    # (condition, target list, message template) — evaluated in order.
    banners = (
        (ctf_started() is False, errors, "{} ещё не начался"),
        (ctf_paused() is True, infos, "{} приостановлен"),
        (ctf_ended() is True, infos, "{} закончился"),
    )
    for triggered, bucket, template in banners:
        if triggered:
            bucket.append(template.format(config.ctf_name()))
    return render_template("challenges.html", infos=infos, errors=errors)
def listing():
    """Challenge listing page with CTF-state banners."""
    infos = get_infos()
    errors = get_errors()
    # (condition, target list, message template) — evaluated in order.
    banners = (
        (ctf_started() is False, errors, "{} has not started yet"),
        (ctf_paused() is True, infos, "{} is paused"),
        (ctf_ended() is True, infos, "{} has ended"),
    )
    for triggered, bucket, template in banners:
        if triggered:
            bucket.append(template.format(config.ctf_name()))
    return render_template("challenges.html", infos=infos, errors=errors)
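def register():
    """Register a new user with a name and password and log them in.

    GET renders the form.  POST validates (non-empty, unused name; password
    between 1 and 128 characters), creates the user, logs them in and
    redirects to the team page (teams mode) or the challenge listing.
    """
    errors = get_errors()
    if request.method == "POST":
        # Validate exactly what gets stored: the original checked the raw
        # form values but stored stripped ones, so "  alice" passed the
        # uniqueness check and was then saved as "alice".
        name = request.form["name"].strip()
        password = request.form["password"].strip()

        name_len = len(name) == 0
        names = Users.query.add_columns("name", "id").filter_by(name=name).first()
        pass_short = len(password) == 0
        pass_long = len(password) > 128

        if names:
            errors.append("That user name is already taken")
        if pass_short:
            errors.append("Pick a longer password")
        if pass_long:
            errors.append("Pick a shorter password")
        if name_len:
            errors.append("Pick a longer user name")

        if len(errors) > 0:
            return render_template(
                "register.html",
                errors=errors,
                name=request.form["name"],
                password=request.form["password"],
            )
        else:
            with app.app_context():
                user = Users(name=name, password=password)
                db.session.add(user)
                db.session.commit()
                db.session.flush()

                login_user(user)
                # NOTE(review): {name} is not passed as a kwarg; this relies on
                # log() filling it in — confirm.
                log("registrations", "[{date}] {ip} - {name} registered")

                db.session.close()

            if is_teams_mode():
                return redirect(url_for("teams.private"))
            return redirect(url_for("challenges.listing"))
    else:
        return render_template("register.html", errors=errors)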
def private():
    """The current user's own profile page."""
    infos = get_infos()
    errors = get_errors()
    user = get_current_user()
    if config.is_scoreboard_frozen():
        infos.append("Scoreboard has been frozen")
    context = dict(user=user, account=user.account, infos=infos, errors=errors)
    return render_template("users/private.html", **context)
def listing():
    """Challenge listing page; passes start/end timestamps to the template."""
    infos = get_infos()
    errors = get_errors()
    start = int(get_config("start") or 0)
    end = int(get_config("end") or 0)

    if ctf_paused():
        infos.append("{} is paused".format(config.ctf_name()))
    # After the end the page is still served when view_after_ctf is on; the
    # banner is informational and the JS loads challenges regardless.
    if ctf_ended() and view_after_ctf():
        infos.append("{} has ended".format(config.ctf_name()))

    context = dict(infos=infos, errors=errors, start=start, end=end)
    return render_template("challenges.html", **context)
def join():
    """Join an existing team by name and passphrase (Russian strings).

    NOTE(review): unlike other variants of this view, there is no check that
    the current user is not already on a team — confirm whether switching
    teams is intended here.
    """
    infos = get_infos()
    errors = get_errors()

    if request.method == "GET":
        limit = get_config("team_size", default=0)
        if limit:
            suffix = "" if limit == 1 else "s"
            infos.append(
                "Команды могут содержать не больше {limit} участников".format(
                    limit=limit, plural=suffix))
        return render_template("teams/join_team.html", infos=infos, errors=errors)

    if request.method == "POST":
        teamname = request.form.get("name")
        passphrase = request.form.get("password", "").strip()
        team = Teams.query.filter_by(name=teamname).first()

        # One message for both "no such team" and "wrong passphrase".
        if not (team and verify_password(passphrase, team.password)):
            errors.append("Такая информация некорректна")
            return render_template("teams/join_team.html", infos=infos, errors=errors)

        limit = get_config("team_size", default=0)
        if limit and len(team.members) >= limit:
            errors.append(
                "Команда {name} уже достигла лимит в {limit} участников".
                format(name=team.name, limit=limit))
            return render_template("teams/join_team.html", infos=infos, errors=errors)

        user = get_current_user()
        user.team_id = team.id
        db.session.commit()
        # First member becomes captain.
        if len(team.members) == 1:
            team.captain_id = user.id
            db.session.commit()
        clear_user_session(user_id=user.id)
        clear_team_session(team_id=team.id)
        return redirect(url_for("challenges.listing"))
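def list_container():
    """Admin container list: a search by ``id``/``name`` or one page of 50.

    For the paged listing each container's live status and port are looked
    up via ``utils.container_status``.
    """
    page = abs(request.args.get("page", 1, type=int))
    q = request.args.get("q")
    if q:
        field = request.args.get("field")
        containers = []
        errors = get_errors()
        if field == "id":
            if q.isnumeric():
                containers = Containers.query.filter(
                    Containers.id == q).order_by(Containers.id.asc()).all()
            else:
                errors.append("Your ID search term is not numeric")
        elif field == "name":
            # Bug fix: the original referenced the local list ``containers``
            # (``containers.name`` / ``containers.id``) instead of the model,
            # which raised AttributeError on every name search.  q is bound
            # as a parameter; LIKE wildcards in it are accepted (admin-only).
            containers = (
                Containers.query.filter(
                    Containers.name.like("%{}%".format(q)))
                .order_by(Containers.id.asc())
                .all()
            )
        return render_template(
            "containers.html",
            containers=containers,
            pages=0,
            curr_page=None,
            q=q,
            field=field,
        )

    # page=0 used to yield a negative slice offset; clamp to the first page.
    page = max(page, 1)
    results_per_page = 50
    page_start = results_per_page * (page - 1)
    page_end = page_start + results_per_page
    containers = Containers.query.order_by(
        Containers.id.asc()).slice(page_start, page_end).all()
    for c in containers:
        c.status, c.run_port = utils.container_status(c.container_id)
    count = db.session.query(db.func.count(Containers.id)).first()[0]
    # Ceiling division: a partial last page still counts.
    pages = -(-count // results_per_page)
    return render_template('containers.html', containers=containers, pages=pages, curr_page=page)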
def listing():
    """Challenge listing page; passes start/end timestamps to the template.

    NOTE(review): the "has ended" banner is shown whenever view_after_ctf()
    is enabled, not only once the CTF has actually ended — confirm intent.
    """
    infos = get_infos()
    errors = get_errors()
    start = int(get_config('start') or 0)
    end = int(get_config('end') or 0)

    if ctf_paused():
        infos.append('{} is paused'.format(config.ctf_name()))
    if view_after_ctf():
        infos.append('{} has ended'.format(config.ctf_name()))

    context = dict(infos=infos, errors=errors, start=start, end=end)
    return render_template('challenges.html', **context)
def settings():
    """The current user's settings page (profile fields, API tokens, notices)."""
    infos = get_infos()
    errors = get_errors()
    user = get_current_user()

    # Users in teams mode without a team are pointed at the team page.
    if is_teams_mode() and get_current_team() is None:
        team_url = url_for("teams.private")
        infos.append(
            markup(
                f'In order to participate you must either <a href="{team_url}">join or create a team</a>.'
            )
        )

    tokens = UserTokens.query.filter_by(user_id=user.id).all()
    prevent_name_change = get_config("prevent_name_change")

    if get_config("verify_emails") and not user.verified:
        confirm_url = markup(url_for("auth.confirm"))
        infos.append(
            markup(
                "Your email address isn't confirmed!<br>"
                "Please check your email to confirm your email address.<br><br>"
                f'To have the confirmation email resent please <a href="{confirm_url}">click here</a>.'
            )
        )

    context = {
        "name": user.name,
        "email": user.email,
        "website": user.website,
        "affiliation": user.affiliation,
        "country": user.country,
        "tokens": tokens,
        "prevent_name_change": prevent_name_change,
        "infos": infos,
        "errors": errors,
    }
    return render_template("settings.html", **context)
def reset_password(data=None):
    """Password-reset flow (French user-facing strings).

    With ``data`` (a signed token): GET shows the "set password" form, POST
    stores the submitted password for the user named in the token.  Without
    ``data``: GET shows the request form, POST sends the reset mail.
    """
    if data is not None:
        try:
            # 1800 s token lifetime, enforced by unserialize().
            name = unserialize(data, max_age=1800)
        except (BadTimeSignature, SignatureExpired):
            return render_template('reset_password.html', errors=['Votre lien a expiré'])
        except (BadSignature, TypeError, base64.binascii.Error):
            return render_template('reset_password.html', errors=['Votre token de réinitialisation est inalide'])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')
        if request.method == "POST":
            account = Users.query.filter_by(name=name).first_or_404()
            account.password = request.form['password'].strip()
            db.session.commit()
            log('logins', format="[{date}] {ip} - successful password reset for {name}", name=name)
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email_address = request.form['email'].strip()
        account = Users.query.filter_by(email=email_address).first()
        errors = get_errors()
        if config.can_send_mail() is False:
            return render_template(
                'reset_password.html',
                errors=["Le courriel n'a pas pu être envoyé en raison d'une erreur de configuration du serveur"]
            )
        # Same message whether or not the address is known (no account enumeration).
        generic = 'Si ce compte existe un courriel vous sera envoyé'
        if not account:
            return render_template('reset_password.html', errors=[generic])
        email.forgot_password(email_address, account.name)
        return render_template('reset_password.html', errors=[generic])

    return render_template('reset_password.html')
def public(team_id):
    """Team page showing solves, awards, score and place."""
    errors = get_errors()
    team = Teams.query.filter_by(id=team_id).first_or_404()
    solves = team.get_solves()
    awards = team.get_awards()
    place, score = team.place, team.score

    if errors:
        return render_template('teams/team.html', team=team, errors=errors)
    context = dict(
        solves=solves,
        awards=awards,
        team=team,
        score=score,
        place=place,
        score_frozen=config.is_scoreboard_frozen(),
    )
    return render_template('teams/team.html', **context)
def login():
    """Log in with a user name or e-mail address plus password (Russian strings)."""
    errors = get_errors()
    if request.method != "POST":
        db.session.close()
        return render_template("login.html", errors=errors)

    name = request.form["name"]
    # The single form field accepts either an e-mail address or a user name.
    if validators.validate_email(name) is True:
        user = Users.query.filter_by(email=name).first()
    else:
        user = Users.query.filter_by(name=name).first()

    # Unknown account and wrong password share one message on purpose.
    if not user:
        log("logins", "[{date}] {ip} - submitted invalid account information")
        errors.append("Неверное имя пользователя или пароль")
        db.session.close()
        return render_template("login.html", errors=errors)

    if not verify_password(request.form["password"], user.password):
        # NOTE(review): {name} is not passed as a kwarg; this relies on
        # log() filling it in — confirm.
        log("logins", "[{date}] {ip} - submitted invalid password for {name}")
        errors.append("Неверное имя пользователя или пароль")
        db.session.close()
        return render_template("login.html", errors=errors)

    # New session id on login; redirect target must point back into this site.
    session.regenerate()
    login_user(user)
    log("logins", "[{date}] {ip} - {name} logged in")
    db.session.close()
    target = request.args.get("next")
    if target and validators.is_safe_url(target):
        return redirect(target)
    return redirect(url_for("challenges.listing"))
def login():
    """Log in with a user name or e-mail address plus password."""
    errors = get_errors()
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html', errors=errors)

    name = request.form['name']
    # The single form field accepts either an e-mail address or a user name.
    if validators.validate_email(name) is True:
        user = Users.query.filter_by(email=name).first()
    else:
        user = Users.query.filter_by(name=name).first()

    # Unknown account and wrong password share one message on purpose.
    if not user:
        log('logins', "[{date}] {ip} - submitted invalid account information")
        errors.append("Your username or password is incorrect")
        db.session.close()
        return render_template('login.html', errors=errors)

    if not check_password(request.form['password'], user.password):
        # NOTE(review): {name} is not passed as a kwarg; this relies on
        # log() filling it in — confirm.
        log('logins', "[{date}] {ip} - submitted invalid password for {name}")
        errors.append("Your username or password is incorrect")
        db.session.close()
        return render_template('login.html', errors=errors)

    # New session id on login; redirect target must point back into this site.
    session.regenerate()
    login_user(user)
    log('logins', "[{date}] {ip} - {name} logged in")
    db.session.close()
    target = request.args.get('next')
    if target and validators.is_safe_url(target):
        return redirect(target)
    return redirect(url_for('challenges.listing'))
def listing():
    """Challenge listing page.

    Anonymous visitors are allowed through only when challenge visibility is
    PUBLIC; otherwise users in teams mode must have a team first.
    """
    anonymous_public = (
        Configs.challenge_visibility == ChallengeVisibilityTypes.PUBLIC
        and authed() is False
    )
    if not anonymous_public and is_teams_mode() and get_current_team() is None:
        return redirect(url_for("teams.private", next=request.full_path))

    infos = get_infos()
    errors = get_errors()
    banners = (
        (ctf_started() is False, errors, f"{Configs.ctf_name} has not started yet"),
        (ctf_paused() is True, infos, f"{Configs.ctf_name} is paused"),
        (ctf_ended() is True, infos, f"{Configs.ctf_name} has ended"),
    )
    for triggered, bucket, message in banners:
        if triggered:
            bucket.append(message)
    return render_template("challenges.html", infos=infos, errors=errors)